FortiOS Log Message Reference

Enabling extended logging

You can enable extended logging for the following UTM profiles:

  • antivirus

  • application

  • dlp

  • ips

  • waf

  • webfilter

When extended-log is enabled in one of these UTM profiles, the complete set of HTTP headers is logged for HTTP traffic that the profile denies; the headers are carried in the rawdata field of the UTM log message.

For webfilter profiles only, additionally enabling the web-extended-all-action-log option logs the HTTP headers for allowed HTTP traffic as well. Because the headers are copied verbatim, an extended log can contain client-supplied values such as cookies, Authorization headers and X-Forwarded-For. Treat the log feed as sensitive data, and do not trust header values more than you would trust the client that sent them.

Extended logging option in UTM profiles

The extended-log option is available in each of the UTM profile types listed above, for example:

config webfilter profile
    edit "test-webfilter"
        set extended-log enable
        set web-extended-all-action-log enable
    next
end
config antivirus profile
    edit "av-proxy-test"
        set extended-log enable
    next
end
config waf profile
    edit "test-waf"
        set extended-log enable
    next
end

Syslog server mode

The syslog server mode setting takes one of three values: udp, reliable (syslog over TCP, RFC 6587) and legacy-reliable (RFC 3195). Extended logging requires mode reliable; a server configured with udp or legacy-reliable does not receive the extended log data. For example:

config log syslogd setting
    set status enable
    set server "<ip address>"
    set mode reliable
    set facility local6
end

Example of an extended log

The following is an example extended log (type utm, subtype webfilter) as received by a syslog server in reliable mode. The rawdata field at the end of the message carries the extended log data; here it holds a single header, x-forwarded-for=192.168.0.99, whose value also appears in the forwardedfor field while srcip records the address the FortiGate actually saw.

2: date=2022-03-07 time=14:15:27 eventtime=1646691327786322587 tz="-0800" logid="0316013056" type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" vd="vdom1" policyid=1 poluuid="fe85f37c-9dd9-51ec-904d-5af91079efbb" policytype="policy" sessionid=7284 srcip=10.1.100.18 srcport=50856 srccountry="Reserved" srcintf="port2" srcintfrole="undefined" srcuuid="69dc4a54-9d99-51ec-16ee-395d60cceac6" dstip=142.250.69.196 dstport=443 dstcountry="United States" dstintf="port1" dstintfrole="undefined" dstuuid="69dc4a54-9d99-51ec-16ee-395d60cceac6" proto=6 httpmethod="GET" service="HTTPS" hostname="http://www.google.com" forwardedfor="192.168.0.99" agent="curl/7.56.0" profile="webfilter" action="blocked" reqtype="referral" url="https://www.google.com/" referralurl="https://example.com/referer.html" sentbyte=869 rcvdbyte=4313 direction="outgoing" msg="URL belongs to a denied category in policy" ratemethod="domain" cat=41 catdesc="Search Engines and Portals" rawdata="x-forwarded-for=192.168.0.99"
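
The log line above is the kind of record a SIEM has to take apart. The following Python is an added example written for this page, not Fortinet code: it parses the FortiOS space-separated key=value format (quoted values may contain spaces), pulls the HTTP headers out of rawdata, flags headers that carry secrets, and decides whether the X-Forwarded-For value can be attributed to the client or must be discarded in favour of srcip. PAGE_LINE is the page's own example line; CONSTRUCTED_LINE is made up for the demonstration, and the '|' separator between several headers inside rawdata, as well as the header names in that constructed line, are assumptions rather than anything the page states.

```python
"""Parse FortiOS key=value log lines and extract the HTTP headers that
extended logging places in the rawdata field.  Added example for this page,
not Fortinet code.  PAGE_LINE is the page's own log line; CONSTRUCTED_LINE is
made up, and the '|' separating several headers inside rawdata is an
ASSUMPTION about the field layout, not something the page states."""
import ipaddress
import re

# One key=value pair: the value is "double-quoted" (spaces allowed, \" escaped)
# or a bare token.  Pairs are space-separated; a leading "N: " record index
# contains no '=' and is skipped by finditer.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

PAGE_LINE = (
    '2: date=2022-03-07 time=14:15:27 eventtime=1646691327786322587 tz="-0800" '
    'logid="0316013056" type="utm" subtype="webfilter" eventtype="ftgd_blk" '
    'level="warning" vd="vdom1" policyid=1 '
    'poluuid="fe85f37c-9dd9-51ec-904d-5af91079efbb" policytype="policy" '
    'sessionid=7284 srcip=10.1.100.18 srcport=50856 srccountry="Reserved" '
    'srcintf="port2" srcintfrole="undefined" '
    'srcuuid="69dc4a54-9d99-51ec-16ee-395d60cceac6" dstip=142.250.69.196 '
    'dstport=443 dstcountry="United States" dstintf="port1" '
    'dstintfrole="undefined" dstuuid="69dc4a54-9d99-51ec-16ee-395d60cceac6" '
    'proto=6 httpmethod="GET" service="HTTPS" hostname="http://www.google.com" '
    'forwardedfor="192.168.0.99" agent="curl/7.56.0" profile="webfilter" '
    'action="blocked" reqtype="referral" url="https://www.google.com/" '
    'referralurl="https://example.com/referer.html" sentbyte=869 rcvdbyte=4313 '
    'direction="outgoing" msg="URL belongs to a denied category in policy" '
    'ratemethod="domain" cat=41 catdesc="Search Engines and Portals" '
    'rawdata="x-forwarded-for=192.168.0.99"'
)

# Constructed line (not from the page): several headers in rawdata, including
# a session cookie that extended logging would copy into the log feed.
CONSTRUCTED_LINE = (
    'date=2022-03-07 time=14:16:02 type="utm" subtype="webfilter" '
    'eventtype="ftgd_blk" level="warning" srcip=10.1.100.18 srcport=50900 '
    'dstip=203.0.113.10 dstport=443 action="blocked" '
    'rawdata="Method=GET|Host=www.example.com|User-Agent=curl/7.56.0|'
    'Cookie=session=abc123"'
)


def parse_fortios_log(line):
    """Return the key=value pairs of one FortiOS log line as a dict."""
    record = {}
    for m in _KV_RE.finditer(line):
        key, raw = m.groups()
        if raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1].replace('\\"', '"')  # strip quotes, unescape \"
        record[key] = raw
    return record


def parse_rawdata(rawdata, sep="|"):
    """Split rawdata into {header-name-lowercased: value}.  Only the first '='
    separates name from value, since values may contain '=' themselves."""
    headers = {}
    for item in rawdata.split(sep):
        if "=" not in item:
            continue
        name, value = item.split("=", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie"}


def sensitive_headers(record):
    """Names of logged headers that carry credentials or session tokens; a
    widely shared log feed (SIEM, MSSP) now contains them verbatim."""
    headers = parse_rawdata(record.get("rawdata", ""))
    return sorted(h for h in headers if h in SENSITIVE_HEADERS)


def client_ip(record, trusted_proxies):
    """Address to attribute the request to.  X-Forwarded-For is written by
    whatever sent the request to the FortiGate, so it only counts when srcip
    is a proxy you control; any other sender can put an arbitrary value there."""
    src = record.get("srcip", "")
    headers = parse_rawdata(record.get("rawdata", ""))
    xff = record.get("forwardedfor") or headers.get("x-forwarded-for")
    if not xff or src not in trusted_proxies:
        return src
    first_hop = xff.split(",")[0].strip()  # leftmost entry is the original client
    try:
        return str(ipaddress.ip_address(first_hop))
    except ValueError:
        return src  # malformed header: keep the address the FortiGate observed
```

With 10.1.100.18 in the trusted proxy set, client_ip() attributes the page's blocked request to 192.168.0.99; with an empty set the same record resolves to 10.1.100.18, which is the safe default when the upstream proxy is unknown.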
